
Responsible Disclosure Policy

Keeping customer data safe and secure is our top priority. If you’ve discovered a security vulnerability, please do not share it publicly.

Instead, report it to us using our RESPONSIBLE DISCLOSURE FORM.

Rules for you

  • Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
  • Do not access or modify, or attempt to access or modify, data that does not belong to you.
  • Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
  • Do not run any automated tools against our servers without prior coordination.
  • Do not try to abuse our servers’ resources, including but not limited to sending unsolicited or unauthorized email.
  • Do not publicly share the issue details until we confirm that it’s fixed.
  • Do not attempt to blackmail us, or try to sell us your security report.
  • When in doubt, contact us at support@postmarkapp.com.

Rules for us

  • We will not pursue any legal action against you if you obey the rules above.
  • We will reply to all correctly submitted reports, and we will work with you on fixing the issue.
  • We will perform our own risk assessment for every reported vulnerability.
  • If your report is not eligible, we will let you know the reason why.
  • We will let you decide whether you want to be publicly acknowledged for your report.

Target Info

  • Testing is only authorized on the targets listed as In-Scope. Any domain/property of Postmark not listed in the targets section is out of scope. This includes any/all subdomains not listed there. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.
  • `account.postmarkapp.com` - The web interface for the Postmark service. Researchers are invited to test all aspects of this application, keeping in mind the strict program guidelines and exclusions.
  • `api.postmarkapp.com` - The API interface for the Postmark service. Researchers are invited to test all aspects of this API, keeping in mind the strict program guidelines and exclusions.

Credentials

  • Accounts can be self-provisioned using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here. You can self-provision accounts for the Postmark application at https://account.postmarkapp.com/sign_up.

Known risks

  • Weak password policies
  • Unlimited maximum password length
  • Lack of CAPTCHAs on certain forms
  • Internal IP address disclosure
  • SPF records that do not end in hardfail (-all)
  • DMARC policy not set to p=reject
  • Session cookie is valid after logout
  • Cookie secrets are reused across multiple devices
  • No rate limiting on web forms
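The SPF and DMARC items above are conditions a researcher can verify from public DNS before deciding whether a finding is already a known risk. The checker below is an added example, not Postmark's code or tooling: it takes the TXT strings for a domain and its _dmarc subdomain, finds the qualifier on the SPF "all" mechanism, parses the DMARC tags, and reports whether the record falls short of -all and p=reject (including the subdomain policy and pct, which weaken an otherwise strict record). The domains and records in SAMPLE_TXT are constructed for the example; a live check would feed the same functions the strings returned by a resolver such as dnspython's dns.resolver.resolve(name, "TXT").

```python
import re
from typing import Dict, List, Optional

# Constructed sample TXT data for hypothetical domains (not Postmark's DNS).
# Each DNS name maps to the list of TXT strings a resolver would return.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:spf.mailer.example ip4:192.0.2.10 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strict.example": ["v=spf1 include:spf.mailer.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s"],
    "partial.example": ["v=spf1 redirect=strict.example"],
    "_dmarc.partial.example": ["v=DMARC1; p=reject; pct=50"],
}

# An SPF 'all' mechanism with an optional qualifier: +all, -all, ~all, ?all, all
SPF_ALL = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def spf_all_qualifier(txt_records: List[str]) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~', '?'),
    'redirect' when the record delegates via redirect= and has no 'all',
    'none' when there is neither (the record then evaluates as neutral), or
    None when the name has zero or more than one v=spf1 record (RFC 7208
    treats both as an error)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    redirect = False
    for term in spf[0].split()[1:]:
        m = SPF_ALL.match(term)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
        if term.lower().startswith("redirect="):
            redirect = True
    return "redirect" if redirect else "none"


def dmarc_tags(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Parse the tag=value pairs of the single v=DMARC1 record at _dmarc.<domain>;
    None when the record is missing or duplicated."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """Flag the two accepted-risk conditions for `domain` using TXT data in `txt`."""
    findings: List[str] = []
    q = spf_all_qualifier(txt.get(domain, []))
    if q is None:
        findings.append("spf: missing or duplicate v=spf1 record")
    elif q == "redirect":
        findings.append("spf: delegated via redirect=; evaluate the target domain")
    elif q != "-":
        findings.append(f"spf: 'all' qualifier is '{q}', not hardfail (-all)")

    tags = dmarc_tags(txt.get(f"_dmarc.{domain}", []))
    if tags is None:
        findings.append("dmarc: missing or duplicate v=DMARC1 record")
    else:
        p = tags.get("p", "").lower()
        sp = tags.get("sp", p).lower()      # sp defaults to p when absent
        pct = int(tags.get("pct", "100"))   # pct defaults to 100
        if p != "reject":
            findings.append(f"dmarc: p={p or '<missing>'}, not reject")
        if sp != "reject":
            findings.append(f"dmarc: subdomain policy sp={sp}, not reject")
        if pct != 100:
            findings.append(f"dmarc: pct={pct}, policy applied to only {pct}% of mail")
    return findings


if __name__ == "__main__":
    for name in ("weak.example", "strict.example", "partial.example"):
        print(name, assess(name, SAMPLE_TXT) or ["ok"])
```

A domain that passes assess with no findings still may not be a valid report: the checker only decides whether an SPF or DMARC observation matches the accepted risks listed above, and a redirect= result means the target domain must be evaluated separately.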

Out of Scope

  • Known vulnerabilities in 3rd party libraries and software used by Postmark (unless you can prove exploitability).
  • Known vulnerabilities in the components of our technology stack reported within 48 hours of their public disclosure.
  • XSS on any domain other than postmarkapp.com
  • SSL/TLS issues such as BEAST, BREACH, or insecure cipher suites being enabled.
  • Security issues only reproducible under highly unlikely conditions (using outdated or exotic web browsers, operating systems, or insecure internet connections).
  • Bugs or functionality that reveal whether a tested email address exists in our database, as well as the theoretical ability to brute-force such functionality.
  • Ability to sign up and use our services without confirming an email address.
  • Missing security headers (unless you can prove exploitability)
  • Password brute force (as noted in exclusions list)
  • Issues affecting www.activecampaign.com should be reported to the ActiveCampaign VDP and are not eligible for reward in this program.

Bounty

At our discretion and if our disclosure policy is followed, the reported security issue may be eligible for a cash reward.

Please report any security vulnerabilities using our RESPONSIBLE DISCLOSURE FORM.

Thanks for your support!

We’re grateful to the following people who have helped us improve the security of Postmark:
Last updated September 18th, 2023